Bug
Resolution: Done
Undefined
4.12.z
Quality / Stability / Reliability
False
5
Moderate
No
T&PS 2023 #6, T&PS 2023 #7
2
Description of problem:
In assisted installer when I want to enable TANG encryption I am asked for Server Thumbprint. Unfortunately, the assisted installer or any documentation I was able to find do not explain how to get such a thing.
Version-Release number of selected component (if applicable):
Latest as of May 12, 2023
How reproducible:
Always
Additional info:
Discussion from #assisted-installer-forum slack channel:
5d
dyocum
Hello! A customer has this question:
In assisted installer when I want to enable TANG encryption I am asked for Server Thumbprint. Unfortunately, the assisted installer or any documentation I was able to find do not explain how to get such a thing.
5d
Trey West
I think this doc explains it: https://docs.openshift.com/container-platform/4.9//security/network_bound_disk_encryption/nbde-managing-encryption-keys.html
They should be able to run tang-show-keys <tang-port> on their tang server and it will be displayed
4d
Jakub Bittner
But only if you have root access to the TANG server. What should you do if you do not?
I opened that case, because I need to get a thumbprint of tang2.nbde-001.prod.iad2.dc.redhat.com in order to install encrypted workers and I do not have root access to it.
4d
Trey West
@Jakub Bittner
you can also see the thumbprint if you run this:
echo okay | clevis encrypt tang '{"url":"http://<tang-server>:<tang-port>"}'
You will get an interactive prompt that shows the signing key which is the thumbprint. You can then verify it works by running:
echo okay | clevis encrypt tang '{"url":"http://<tang-server>:<tang-port>", "thp": "<thumbprint>"}' | clevis decrypt
4d
Trey West
@Nir Magnezi
I see documentation for how to retrieve the tang server thumbprint when a user has access to the tang server but nothing straightforward on how to get it from the client side. Do you know of some documentation that explains it?
4d
Jakub Bittner
I have seen such howto in the past somewhere in older openshift version docs, but I can not find it
1d
dyocum
@Nir Magnezi
Do you have an answer to Trey's question above?
9h
Nir Magnezi
When I learned this protocol I used: https://github.com/latchset/tang#tang-protocol
9h
Nir Magnezi
it does specify how to fetch pub keys / pub keys using specified signing key
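The thread above establishes that the thumbprint the assisted installer asks for is the one tang-show-keys prints on the server and that clevis shows in its interactive prompt, and that it can be obtained from the client side. Both tools derive it the same way: fetch the unauthenticated advertisement at GET http://<tang-server>:<tang-port>/adv and compute the RFC 7638 JWK thumbprint of the signing key it carries. The following is an added example that reproduces that computation; it is not code from the bug report, the Slack thread, or the tang/clevis projects. The sample advertisement embedded in it is constructed for offline use (its key coordinates and signature are placeholders, not a real key pair), and the Tang URL in the usage comment is an assumed name.

```python
"""Client-side retrieval of a Tang server's signing-key thumbprint.

Added example; not code from the bug report, the Slack thread, or the
tang/clevis projects. It reproduces what `tang-show-keys` and the interactive
prompt of `clevis encrypt tang` print: the RFC 7638 JWK thumbprint of each
key in the server's advertisement that carries the "verify" key operation.
The advertisement is served unauthenticated at GET http://<tang>:<port>/adv,
so no shell access to the Tang host is needed.
"""
import base64
import hashlib
import json
import sys
import urllib.request

# RFC 7638, section 3.2: the members that go into the thumbprint, per key type.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexicographically
    ordered, no whitespace. Optional members such as alg/key_ops are dropped,
    so two JWKs differing only in them yield the same thumbprint."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Thumbprint = base64url(H(canonical form)). Current tang/clevis print
    SHA-256 (43 characters); older releases printed SHA-1 (27 characters)."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return b64url_encode(digest)


def signing_keys(adv_json: str) -> list:
    """Extract the keys clevis lists as signers of the advertisement.

    /adv returns a JWS in flattened JSON serialization whose payload is a
    JWK Set. Tang's signing keys carry key_ops ["verify"]; its exchange keys
    carry key_ops ["deriveKey"] and are not what the prompt asks about.
    The JWS signature is NOT checked here: it is made by a key inside the
    same payload, so it proves nothing until the thumbprint is pinned."""
    adv = json.loads(adv_json)
    jwks = json.loads(b64url_decode(adv["payload"]))
    return [k for k in jwks["keys"] if "verify" in k.get("key_ops", [])]


def advertised_thumbprints(adv_json: str, hash_name: str = "sha256") -> list:
    """Thumbprints of every signing key in the advertisement."""
    return [jwk_thumbprint(k, hash_name) for k in signing_keys(adv_json)]


def fetch_advertisement(base_url: str, timeout: float = 5.0) -> str:
    """GET <base_url>/adv over plain HTTP, the same request clevis makes."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/adv", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample advertisement: the shape follows Tang's /adv output, but
# the coordinates and signature are placeholder bytes, not a real key pair.
_FAKE_COORD = b64url_encode(b"\x01" * 66)   # P-521 coordinates are 66 bytes
SAMPLE_JWKS = {"keys": [
    {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
     "x": _FAKE_COORD, "y": _FAKE_COORD},
    {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
     "x": _FAKE_COORD, "y": _FAKE_COORD},
]}
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(json.dumps(SAMPLE_JWKS).encode("utf-8")),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": b64url_encode(b"\x00" * 132),   # placeholder, never verified
})


if __name__ == "__main__":
    # Usage: python tang_thp.py http://tang.example:7500   (assumed host name)
    # Without an argument the constructed sample advertisement is used.
    adv = fetch_advertisement(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ADV
    for thp in advertised_thumbprints(adv):
        print(thp)
```

The value printed for a real server is what goes into the assisted installer's Server Thumbprint field and into the "thp" member of the clevis pin. One caveat worth keeping in mind: /adv is plain HTTP and the advertisement is signed only by a key contained in that same advertisement, so a thumbprint computed from it is trust-on-first-use. Where possible, compare it with the value the Tang operator reports from tang-show-keys, or with one recorded earlier, before pinning it for a fleet of encrypted workers.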